
Route Docker Container traffic through a VPN container


I've installed a couple of containers on my RockPro64 (ARMv8 Processor rev 2 (v8l)) running openmediavault (version 4.1.27-1 Arrakis). Everything is working like a charm.

Containers that I use include Transmission, Jellyfin, Radarr, Sonarr, Jackett... et cetera. I would like to be able to connect those containers through a VPN, so that the connection is more private.

The ideal scenario would be that I have one 'VPN-container' that connects with my VPN provider (at the moment this is PIA, but I would like to have a flexible solution). My other containers will connect to the internet through this container so that they have a VPN-connection.

Maybe it is worth mentioning that I have two containers (Jellyfin & Nextcloud) that I can reach from outside through the internet on a domain name. Maybe it will be different to connect those through a VPN.

I could not find any clear guides that provide a solution for my set-up. I hope someone can give some ideas on where to start or share a guide that could work for me.


Solution

  • I run radarr, sonarr, lidarr, bazarr, pyload, deluge, jellyfin, jackett, airsonic containers behind PIA vpn through https://github.com/qdm12/gluetun (on amd64, but images for arm64 are provided as well).

    It's well documented and actively maintained. It supports Private Internet Access, Mullvad, Windscribe, Surfshark, Cyberghost, Vyprvpn, NordVPN, PureVPN and Privado at the moment of writing this.

    For the gluetun container I use this to expose the ports:

    version: '3.7'
    services:
      gluetun:
        image: qmcgaw/private-internet-access
        container_name: gluetun
        cap_add:
          - NET_ADMIN
        network_mode: bridge
        ports:
          - 8888:8888/tcp # HTTP proxy
          - 8388:8388/tcp # Shadowsocks
          - 8388:8388/udp # Shadowsocks
          - 8000:8000/tcp # Built-in HTTP control server
          # other containers' ports
          - 8112:8112     # deluge webui
          - 58846:58846   # deluge daemon
          - 6767:6767     # bazarr
          - 8989:8989     # sonarr
          - 7878:7878     # radarr
          - 8686:8686     # lidarr
          - 9117:9117     # jackett
          - 4040:4040     # airsonic
          - 8096:8096     # jellyfin/emby
          - 8227:8227     # pyload
        volumes:
          - ./data_gluetun:/gluetun
          - ./data_gluetun/port_forward:/tmp/gluetun/forwarded_port
        environment:
          - VPNSP=private internet access
          - TZ=Europe/London
          - USER=${PIA_USER}
          - PASSWORD=${PIA_PASS}
          - REGION=${PIA_REGION}
          - PORT_FORWARDING=on
          - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
          - HTTPPROXY=on
          - SHADOWSOCKS=on
          - SHADOWSOCKS_PASSWORD=${SHADOW_PASS}
        restart: unless-stopped
    

    And then, in the containers I wish to route via the above container, I commented out any existing network settings and replaced them with network_mode: "container:gluetun".

    For automated letsencrypt certificates and a reverse proxy to access from outside the local network I use https://github.com/jc21/nginx-proxy-manager with the ARM-compatible mariadb image yobasystems/alpine-mariadb:latest, running on an RPi4b with 64-bit Ubuntu Server.
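
Added example (not part of the original answer): the client side of the `network_mode: "container:gluetun"` step, shown for one routed service in a separate compose file. The `linuxserver/deluge` image and the `./data_deluge` path are assumptions for illustration; the container name `gluetun` and port 8112 come from the compose file in the answer.

```yaml
# Added example, not from the original answer.
# Assumed: image name and volume path. From the answer: the container
# name "gluetun" and the deluge web UI port 8112.
version: '3.7'
services:
  deluge:
    image: linuxserver/deluge          # assumed image
    container_name: deluge

    # Join the network namespace of the running "gluetun" container.
    # deluge gets no interface of its own: every packet it sends or
    # receives goes through gluetun's network stack.
    network_mode: "container:gluetun"
    # If deluge and gluetun are defined in the SAME compose file, the
    # equivalent setting is:
    #   network_mode: "service:gluetun"

    # No "ports:" section here. Docker refuses to publish ports on a
    # container that uses another container's network, which is why the
    # answer publishes 8112 on the gluetun service instead. The settings
    # that were commented out looked like this:
    #   ports:
    #     - 8112:8112
    #   networks:
    #     - default

    volumes:
      - ./data_deluge:/config          # assumed path
    restart: unless-stopped
```

Because the routed container has no network of its own, it only has connectivity while the gluetun container is running; a service that still carries its own `ports:` or `networks:` entries is not going through the VPN container.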